Home Depot agreed to pay at least $19.5 million to compensate U.S. consumers harmed by a 2014 data breach affecting more than 50 million cardholders.
Home Depot also agreed to improve data security over a two-year period, and hire a CISO to oversee its progress, it said. It will separately pay legal fees and related costs for affected consumers, said NBC News.
In the preliminary settlement, Home Depot did not admit wrongdoing or liability in agreeing to settle.
"We wanted to put the litigation behind us, and this was the most expeditious path," spokesman Stephen Holmes said. "Customers were never responsible for any fraudulent charges."
Home Depot has said the breach affected people who used payment cards on its self-checkout terminals in U.S. and Canadian stores between April and September 2014.
According to NBC News, Home Depot said the intruder used a vendor's user name and password to infiltrate its computer network, and used custom-built malware to access shoppers' payment card information.